JavaRanch » Java Forums » Databases » JDBC
How to ensure SQL-injection isn't possible?

Yuriy Zilbergleyt
Ranch Hand

Joined: Dec 13, 2004
Posts: 429
Hello,

I know that with PreparedStatements, values automatically get escaped, so a value containing a single quote, for example, won't be a problem. However, I'm currently coding for MySQL, in which PreparedStatements are actually slower than Statements (because there's no native support for them, I guess). Is there a function in JDBC somewhere that automatically escapes a parameter so it can be added to a SQL string as a literal?

Similar question for the byte array of a serialized java object. Is it possible to insert one using a normal Statement?

Thank you,
Yuriy
Maximilian Xavier Stocker
Ranch Hand

Joined: Sep 20, 2005
Posts: 381
The quick answer is no, there is not another method, namely because such escaping is DB-dependent, which is what PreparedStatements are for.

You should stick with PreparedStatements because the security and portability benefits FAR outweigh any performance hit you are taking.
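As an added example (not code from the thread), the following shows both points of the question in working JDBC: a query built by string concatenation beside the same query as a PreparedStatement, and a serialized object stored and read back through setBytes/getBytes. It assumes an H2 driver on the classpath for the in-memory URL jdbc:h2:mem:demo; the table names, the Profile class and the sample rows are constructed for the example, and the same code runs unchanged against MySQL or any other JDBC driver.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.Statement;

public class SqlInjectionDemo {

    // Small Serializable payload to store as a byte array (constructed for this example).
    static class Profile implements Serializable {
        private static final long serialVersionUID = 1L;
        final String nickname;
        Profile(String nickname) { this.nickname = nickname; }
    }

    // VULNERABLE: the untrusted value becomes part of the SQL text, so a quote
    // in it changes the query. Shown only to demonstrate the problem.
    static int countUsersConcat(Connection c, String name) throws Exception {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // SAFE: the value is bound as a parameter and never parsed as SQL,
    // whatever characters it contains.
    static int countUsersPrepared(Connection c, String name) throws Exception {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // Serialize an object and store it with setBytes: binary data needs no
    // escaping at all when it travels as a bound parameter.
    static void storeProfile(Connection c, int id, Profile p) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(p);
        }
        String sql = "INSERT INTO profiles (id, data) VALUES (?, ?)";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setInt(1, id);
            ps.setBytes(2, buf.toByteArray());
            ps.executeUpdate();
        }
    }

    // Read the bytes back with getBytes and deserialize them.
    static Profile loadProfile(Connection c, int id) throws Exception {
        String sql = "SELECT data FROM profiles WHERE id = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                byte[] data = rs.getBytes(1);
                try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
                    return (Profile) in.readObject();
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: H2 driver on the classpath; the URL is an in-memory database.
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE users (name VARCHAR(50))");
                st.execute("INSERT INTO users VALUES ('alice'), ('bob'), ('carol')");
                st.execute("CREATE TABLE profiles (id INT PRIMARY KEY, data VARBINARY(4096))");
            }

            // Constructed attack input: closes the quote and appends an always-true clause.
            String attack = "x' OR '1'='1";
            System.out.println("concat   : " + countUsersConcat(c, attack));
            System.out.println("prepared : " + countUsersPrepared(c, attack));

            // A nickname with a single quote is stored inside the serialized bytes without any escaping.
            storeProfile(c, 1, new Profile("O'Reilly"));
            System.out.println("nickname : " + loadProfile(c, 1).nickname);
        }
    }
}
```

Run against the three seeded rows, the concatenated query returns the count of all users, because the input turned the WHERE clause into `name = 'x' OR '1'='1'`; the prepared query returns zero, because no user is literally named `x' OR '1'='1`. The byte array round-trips unchanged through setBytes and getBytes, which is the answer to the second question: a serialized object does not need to be spliced into SQL text at all. One caveat that applies to the stored bytes rather than to SQL: ObjectInputStream should only ever be pointed at bytes your own application wrote, since deserializing attacker-controlled data is a separate class of problem.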